Here's an unsettling fact for anyone thinking of buying shares in a newly public company: Even if its executives know their internal accounting systems are a wreck, they aren't required to disclose this until after the company goes public.

It's a lesson Groupon shareholders have learned the hard way. Groupon shares fell 17 percent April 2 after the online coupon company said it had identified a "material weakness" in its internal controls over financial reporting, as of Dec. 31.

The Chicago-based company also revised its fourth-quarter results to show lower revenue and a larger loss, after finding errors in its accounting for customer refunds. At $11.13, the stock now sells for 57 percent less than it did after the first day of trading.

Given that Groupon went public only last November, the latest news raises the question: Didn't Groupon know before its initial public offering that its controls were weak? A company spokesman, Paul Taaffe, declined to comment. Let's assume for the moment, though, that its executives did know. Even then, they wouldn't have had to tell investors beforehand.

There is no requirement to disclose a control weakness in a company's IPO prospectus. Groupon had no obligation to disclose the problem until it filed its first quarterly or annual report as a public company, which it did. Sandbagging IPO investors in this manner is perfectly legal.

The reason lies with a gaping hole in the Sarbanes-Oxley Act, which Congress passed in 2002 in response to the accounting scandals at Enron and WorldCom. That statute had two main sections related to companies' internal controls, which are the systems and processes that companies are supposed to have to ensure the information they report is accurate. Those provisions apply only to companies that are public already, not ones that have registered for IPOs.

One section, called 302, requires public companies' top executives to evaluate each quarter whether their disclosure controls and procedures are effective. The other section, known as 404, is better known. It requires public companies in their annual reports to include assessments by management and outside auditors about the effectiveness of their internal controls over financial reporting. Congress left it to the Securities and Exchange Commission to write the rules implementing those provisions.

Here's where it gets tricky. Groupon reported the weakness in its financial-reporting controls through a Section 302 disclosure, not a Section 404 report. The problem was serious enough that it amounted to a shortcoming in the company's disclosure controls.

Groupon won't have to comply with Section 404's requirements until its second annual report, due next year, under an exemption the SEC passed in 2006 for newly public companies. Likewise, Groupon's auditor, Ernst & Young, to date has expressed no opinion on the company's internal controls in its audit reports.

Groupon's IPO prospectus cautioned that future disclosures about control weaknesses were possible. It also said the company had only "recently filled a number of positions in our senior management and finance and accounting staff." But the prospectus made no representation about whether Groupon's controls were effective at the time. None was required.

"There is no requirement to disclose a material weakness in the prospectus," said SEC spokeswoman Judith Burns, speaking broadly, not about any specific company.

Give credit where it's due: Two accounting professors who made the perfect call on Groupon are Anthony Catanach, at Villanova University, and Edward Ketz, at Pennsylvania State University.

"It is absolutely ludicrous to think that Groupon is anywhere close to having an effective set of internal controls over financial reporting, having done 17 acquisitions in a little over a year," the pair wrote Aug. 24 on their blog, Grumpy Old Accountants. "When a company expands to 45 countries, grows merchants from 212 to 78,466, and expands its employee base from 37 to 9,625 in only two years, there is little doubt that internal controls are not working somewhere."

Even before going public, Groupon restated its financial reports in September to correct errors in the way it reported revenue, which slashed 2010 sales to $312.9 million from $713.4 million. That alone should have flagged to investors that Groupon's controls were lacking. Nonetheless, the stock market acted as if it was surprised.

The debacle at Groupon has drawn comparisons with the new securities legislation that President Obama just signed into law.

The act lets newly public companies go five years without providing internal-control reports by outside auditors, as long as annual revenue is less than $1 billion. (Groupon reported 2011 revenue of $1.6 billion.)

The change comes after the Dodd-Frank Act in 2010 permanently exempted companies with less than $75 million of freely tradable shares from meeting this requirement, which means most U.S. public companies.

The new law will reduce disclosure obligations in many other ways. Pre-IPO correspondence between companies and the SEC's staff initially would be stamped secret, for example. The act is a lurch in the opposite direction of what is needed.

Let's not fool ourselves, though. The existing protections for IPO investors were feeble before the new law. That Groupon could stay mum for so long about any control weaknesses it had, legally, is merely the latest evidence. There is only one solution for investors who aren't insiders: Never buy stock in a company that just went public.